MITRE ATT&CK Technique
Persistence T1137.005
Description

Adversaries may abuse Microsoft Outlook rules to obtain persistence on a compromised system. Outlook rules allow a user to define automated behavior to manage email messages. A benign rule might, for example, automatically move an email to a particular folder in Outlook if it contains specific words from a specific sender. Malicious Outlook rules can be created that can trigger code execution when an adversary sends a specifically crafted email to that user.(Citation: SilentBreak Outlook Rules)

Once malicious rules have been added to the user’s mailbox, they will be loaded when Outlook is started. Malicious rules will execute when an adversary sends a specifically crafted email to the user.(Citation: SilentBreak Outlook Rules)

Supported Platforms
Windows, Office Suite
Created

April 29, 2026

Last Updated

April 29, 2026

STIX Data
{'created': '2019-11-07T20:00:25.560Z',
 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'description': 'Adversaries may abuse Microsoft Outlook rules to obtain '
                'persistence on a compromised system. Outlook rules allow a '
                'user to define automated behavior to manage email messages. A '
                'benign rule might, for example, automatically move an email '
                'to a particular folder in Outlook if it contains specific '
                'words from a specific sender. Malicious Outlook rules can be '
                'created that can trigger code execution when an adversary '
                'sends a specifically crafted email to that user.(Citation: '
                'SilentBreak Outlook Rules)\n'
                '\n'
                'Once malicious rules have been added to the user’s mailbox, '
                'they will be loaded when Outlook is started. Malicious rules '
                'will execute when an adversary sends a specifically crafted '
                'email to the user.(Citation: SilentBreak Outlook Rules)',
 'external_references': [{'external_id': 'T1137.005',
                          'source_name': 'mitre-attack',
                          'url': 'https://attack.mitre.org/techniques/T1137/005'},
                         {'description': 'Damian Pfammatter. (2018, September '
                                         '17). Hidden Inbox Rules in Microsoft '
                                         'Exchange. Retrieved October 12, '
                                         '2021.',
                          'source_name': 'Pfammatter - Hidden Inbox Rules',
                          'url': 'https://blog.compass-security.com/2018/09/hidden-inbox-rules-in-microsoft-exchange/'},
                         {'description': 'Fox, C., Vangel, D. (2018, April '
                                         '22). Detect and Remediate Outlook '
                                         'Rules and Custom Forms Injections '
                                         'Attacks in Office 365. Retrieved '
                                         'February 4, 2019.',
                          'source_name': 'Microsoft Detect Outlook Forms',
                          'url': 'https://docs.microsoft.com/en-us/office365/securitycompliance/detect-and-remediate-outlook-rules-forms-attack'},
                         {'description': 'Landers, N. (2015, December 4). '
                                         'Malicious Outlook Rules. Retrieved '
                                         'February 4, 2019.',
                          'source_name': 'SilentBreak Outlook Rules',
                          'url': 'https://silentbreaksecurity.com/malicious-outlook-rules/'},
                         {'description': 'SensePost. (2017, September 21). '
                                         'NotRuler - The opposite of Ruler, '
                                         'provides blue teams with the ability '
                                         'to detect Ruler usage against '
                                         'Exchange. Retrieved February 4, '
                                         '2019.',
                          'source_name': 'SensePost NotRuler',
                          'url': 'https://github.com/sensepost/notruler'}],
 'id': 'attack-pattern--3d1b9d7e-3921-4d25-845a-7d9f15c0da44',
 'kill_chain_phases': [{'kill_chain_name': 'mitre-attack',
                        'phase_name': 'persistence'}],
 'modified': '2025-10-24T17:48:41.026Z',
 'name': 'Outlook Rules',
 'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
 'revoked': False,
 'spec_version': '2.1',
 'type': 'attack-pattern',
 'x_mitre_attack_spec_version': '3.2.0',
 'x_mitre_contributors': ['Microsoft Security'],
 'x_mitre_deprecated': False,
 'x_mitre_detection': '',
 'x_mitre_domains': ['enterprise-attack'],
 'x_mitre_is_subtechnique': True,
 'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'x_mitre_platforms': ['Windows', 'Office Suite'],
 'x_mitre_version': '1.2'}